When Didier Stevens recently took a closer look at some Internet Explorer malware that he had found, something surprised him somewhat. He discovered that the IE-targeted malware had been obfuscated with null bytes (0x00), and when he ran it against VirusTotal he found that fewer than half of the products identified the sample as malware (15 of 32). When all null bytes were removed, the chances of successful detection improved, though not as much as would normally be expected (25 of 32 detections). When Didier tried adding more null bytes to the sample, he found that the number of successful detections decreased steadily until, with 254 0x00 bytes between each character, McAfee was the last one standing.
Going to 255 or more 0x00 bytes knocks McAfee off the perch, yet leaves IE quite happily rendering the malicious code (which gives a hint at some internal limits of McAfee's engine). Internet Explorer's lenient interpretation and handling of mangled HTML and scripting input certainly helped make the Internet accessible to a wider audience, though now it is making the platform more accessible to malware authors as well (if that was possible).
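The defensive counterpart to the finding above, as an added example that is not code from the original post or from Didier Stevens: a pre-scan normaliser that strips NUL bytes the way IE effectively ignores them, so the signature match no longer depends on how many nulls sit between characters, plus a simple padding-ratio heuristic. The signature string, the sample text and the 0.2 threshold are all constructed for the demonstration.

```python
# Added example (not from the original post): normalise NUL-interleaved
# HTML/script before signature matching, and flag heavy NUL padding on its own.

# Constructed stand-in for a real detection pattern.
SIGNATURE = b"<script>constructed_marker()</script>"


def build_interleaved_sample(text: bytes, nulls_per_gap: int) -> bytes:
    """Constructed test vector: `nulls_per_gap` 0x00 bytes between each byte of
    `text`, the layout the post describes (IE skips the nulls when rendering)."""
    gap = b"\x00" * nulls_per_gap
    return gap.join(bytes([c]) for c in text)


def naive_scan(data: bytes) -> bool:
    """Raw substring match: the behaviour the post shows degrading as nulls grow."""
    return SIGNATURE in data


def normalise(data: bytes) -> bytes:
    """Drop every NUL before matching. There is deliberately no cap on the run
    length removed, so a per-gap limit like the 255-byte one the post attributes
    to one engine cannot be reached by adding more padding."""
    return data.replace(b"\x00", b"")


def null_padding_ratio(data: bytes) -> float:
    """Fraction of the payload that is NUL. Real HTML/script is near 0, so a high
    value is an anomaly worth flagging even before any signature matches."""
    return data.count(0) / len(data) if data else 0.0


def scan(data: bytes, ratio_threshold: float = 0.2) -> dict:
    """Combine both checks; the threshold value is an assumption, not from the post."""
    ratio = null_padding_ratio(data)
    return {
        "raw_match": naive_scan(data),
        "normalised_match": naive_scan(normalise(data)),
        "null_ratio": round(ratio, 3),
        "suspicious_padding": ratio > ratio_threshold,
    }


if __name__ == "__main__":
    # Walk the same padding sizes the post discusses, plus one well past them.
    for n in (0, 1, 254, 255, 1000):
        print(n, scan(build_interleaved_sample(SIGNATURE, n)))
```

With any non-zero padding the raw match fails while the normalised match and the padding ratio both still flag the sample.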